Portable electronic devices, such as smartphones, tablet computers, digital music players and the like, have been developed that include desirable functionality and thus the number of mobile device users and/or owners keeps growing. Such mobile devices can store all types of information, and can perform many different types of functions for users. The overall popularity of such mobile devices, especially smartphones, has led to the development of processes for using them to conduct financial transactions, for example, transmission of a payment between a payer (a consumer or payment card account holder or cardholder) and a recipient (or payee, such as a merchant or another cardholder).
Electronic payment systems have been developed that provide financial transaction services to merchants and consumers. These payment systems typically provide financial transaction processing that protects the primary account numbers (PANs) (typically a sixteen-digit number) associated with financial accounts of consumers and of merchants from access by vandals by providing “tokenization” services. Tokenization prevents the unauthorized access to PANs by transforming a PAN into a token for use in the payment process, and thus, tokens have been defined as “surrogate/alternate values that replace PANs” in part of a payment system. Tokenized data typically includes, but is not limited to, a token PAN, and session keys or cryptographic keys that can be used a single time, or for a limited time, during a transaction. Once the tokenized card credentials are delivered into the consumer's device or wallet, the consumer can then use them to make a tokenized transaction at a merchant location and/or website. Typically, the consumer either taps a contactless terminal with the mobile device that has a mobile payment application containing tokenized credentials to make an in-store transaction, or uses a mobile payment application or web wallet to make an in app or online transaction using tokenized credentials. The token PAN, which typically has the same format as the PAN and is associated with the cardholder's sixteen-digit account number, is used to complete the purchase. The token is generated and managed by a token service provider (TSP), which de-tokenizes the token to obtain the PAN for use in processing the purchase transaction. Such processing improves the payment security of the transaction, since only the TSP, payment network and issuer/issuer processor see the actual PAN; the merchant and acquirer only see the token PAN.
Processes are also known wherein a payer utilizes a digital camera component of his or her mobile device (such as a smartphone or tablet computer) to scan a code, such as a barcode (a one-dimensional or 1D code), or a quick-response (QR) code (a two-dimensional or 2D barcode), for example, at a merchant store to initiate a purchase transaction. Barcodes and QR codes are machine-readable codes (either printed on paper or on another surface, or displayed on a display component). A barcode typically consists of lines of varying thickness to convey information, whereas a QR code is typically a square shape that consists of an array of black and white squares.
Conventionally, QR codes are used to store uniform resource locators (URLs) or other information that can be read by a camera component of a consumer's mobile device, which mobile device also includes a QR code application. For example, a retailer may have a sticker or label or sheet of paper having a merchant QR code printed thereon affixed to a countertop near a cash register (or on the cash register) at the merchant's retail store. In some embodiments, the label or sticker having the merchant QR code printed on it may be provided to the merchant by a payment processing company (or by some other trusted third party), and typically includes merchant identification data. In typical implementations, the merchant QR code includes a merchant payment account number (associated with a financial account of the merchant) for receiving payments in the clear. In an example purchase transaction involving use of a merchant QR code, the consumer uses a mobile payment application (which is configured for reading and interpreting QR code data) and the camera component of his or her mobile device to scan the merchant QR code, and then inputs a purchase transaction amount (the cost or price of the goods or services). The consumer's mobile device then transmits a payment request so that funds can be transferred from the consumer's payment card account to the merchant's payment account (which may be processed by a payments system such as the Mastercard MoneySend™ or Mastercard Send™ platforms). For such processing to be successful, both the merchant and the customer must be registered with a payments platform that accepts QR code transactions.
However, it is fairly simple for vandals to generate a malicious QR code by using, for example, an object-oriented computer programming language such as JavaScript, or by creating a link that tricks a user into utilizing a website that contains embedded malware. Thus, vandals have been able to use malicious QR codes to trick consumers into providing financial information and/or identity information, which a vandal can then use for fraudulent purposes such as, but not limited to, stealing money, opening fraudulent financial accounts, and/or stealing the user's identity to obtain fraudulent loans and the like. In addition, QR code systems are susceptible to “man in the middle” and/or “replay” attacks, wherein a hacker or other vandal intercepts and/or re-directs the consumer's payment before it reaches the merchant's payment account, or reuses the same credentials to make a duplicate payment. Most QR code hacks involve the hacker replacing the merchant's receiving account with the hacker's account without the knowledge of the merchant.
Accordingly, a need exists for a method and a system that provides a secure QR code for use in a purchase transaction that prevents phishing attacks and/or hacking of the QR code and/or other malicious use of such a QR code, and which method and system are easy and inexpensive to use and/or implement. In addition, a need exists for validating the secure QR code, thereby removing the risk of QR code replacement attacks.